
TJX consumer data theft largest in history

TJX, the parent company to retailers like T.J. Maxx, revealed this week that a …

A data breach originally disclosed this January by the parent company of retailer T.J. Maxx could be the largest case of consumer information theft to occur to date. TJX Cos. disclosed in a regulatory filing this week that the company believes that data on at least 45.7 million credit and debit cards was stolen by hackers, and has reason to believe that the actual number could be much higher. The case that previously held the title of largest data breach was the 2005 disclosure from CardSystems, where 40 million cardholder accounts had been accessed by hackers.

The breach happened in mid-2005 and on subsequent dates from mid-May 2006 to mid-January 2007. The 45.7 million cards stolen came from transactions that occurred at one of TJX's many retailers between January and November of 2003. More data was stolen from transactions that occurred between November of 2003 and June of 2004 as well as mid-May 2006 through December 2006, but the retail giant did not attempt to estimate the number stolen from that period of time because that consumer data had already been deleted from TJX's systems. It's unclear at this time why data before November of 2003 was not deleted, however.

TJX claims that at the time of the data theft, about three-quarters of the credit and debit cards stored in the system had expired and/or the corresponding PINs were not stored in the system. However, according to TJX's filing, 455,000 more customers had other personal information compromised, such as driver's license, military identification, and state identification numbers. This information was stored "together with related names and addresses, and in some of those cases, we believe those personal ID numbers were the same as the customers' social security numbers," reads the filing.

"Some banks and payment card companies have advised us that they have found what they consider to be preliminary evidence of possible fraudulent use of payment card information that may have been stolen from us," says the company. More detail comes from the Massachusetts Bankers Association, which says that fraud is now happening around the world. The MBA says that card activity from the breach has been reported so far in Florida, Georgia, Louisiana, Hong Kong, and Sweden, with more reports expected to come rolling in soon. The original hackers have yet to be identified.

The theft of such a massive amount of data occurred, unsurprisingly, due to glaring security holes in the computer systems that process and store payment information. TJX said in its filing that it believes that, during one of the many breaches, the hackers may have had access to decryption tools used by the retailer, allowing them to access credit card information as it was being transmitted for approval. However, the company also said that because they had deleted so much transaction data by the time they discovered the breach, there was no true way to know exactly how large the breach actually was. "We aren't able to specifically identify all of what we believe was stolen due to deletions of data in the ordinary course of business after the believed theft and prior to its discovery, the types of technology used by the intruder in the intrusion and the fact that we believe some data was stolen during the payment card approval process," reads TJX's FAQ page.

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui